<script src="../resources/testharness.js"></script>
<script src="../resources/testharnessreport.js"></script>
<script>
test(function () {
    // http://username@password:localhost:8000/... should be blocked.
    var originWithAuth = new URL(document.URL);
    originWithAuth.username += 'username';
    originWithAuth.password += 'password';
    originWithAuth = originWithAuth.href;

    assert_throws_dom('SecurityError', function () {
        history.pushState(null, null, originWithAuth);
    });
}, 'pushState that changes credentials should fail with SecurityError');
</script>
